Resubmissions

28/03/2025, 15:07

250328-shcdqazj14 10

27/03/2025, 11:12

250327-na8dza1sh1 10

Analysis

  • max time kernel
    71s
  • max time network
    129s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags

    arch:amd64, arch:i386, image:macos-20241106-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    28/03/2025, 15:07

General

  • Target
    NotLockBit/22
  • Size
    9.3MB
  • MD5
    37ec80fbc2302d5893cb6984cb1a43e2
  • SHA1
    6c19a41d033ccc39bd42bc2f2e830e1f5808ca15
  • SHA256
    aca17ec46730f5677d0d0a995b65504e97dce65da699fac1765db1933c97c7ec
  • SHA512
    cfb4a5d2a6db39c8c2e48a558164dacef2e59b341a2247870e7fd80cc39ad04e650708065b8c9ef7e139e2e16b8234a45716935b7b86f9314377968389e56d61
  • SSDEEP
    98304:WXt8x60r9yht38/1l6OFjrEaa9cGRXG0WqxEirA+oL2:Yt0cht38T6ospeEUn+d

Score
4/10

Malware Config

Signatures

  • Resource Forking (1 TTPs, 2 IoCs)

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

Processes

  • /bin/sh: sh -c "sudo /bin/zsh -c \"/Users/run/NotLockBit/22\"" (1⤵ PID:467)
    • /bin/bash: sh -c "sudo /bin/zsh -c \"/Users/run/NotLockBit/22\"" (1⤵ PID:467)
      • /usr/bin/sudo: sudo /bin/zsh -c /Users/run/NotLockBit/22 (1⤵ PID:467)
        • /bin/zsh: /bin/zsh -c /Users/run/NotLockBit/22 (2⤵ PID:468)
          • /Users/run/NotLockBit/22: /Users/run/NotLockBit/22 (2⤵ PID:468)
          • /usr/libexec/xpcproxy: xpcproxy com.apple.quicklook.ui.helper (1⤵ PID:502)
            • /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper (1⤵ PID:502)
              • /usr/libexec/xpcproxy: xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Archive Utility" (1⤵ PID:503)
                • /System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility: "/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility" -psn_0_159783 (1⤵ PID:503)
                  • /usr/libexec/xpcproxy: xpcproxy com.apple.XprotectFramework.AnalysisService 415 (1⤵ PID:504)
                    • /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService (1⤵ PID:504)
                      • /usr/bin/macbinary: /usr/bin/macbinary probe --verbose /Users/run/Desktop/payload.zip (1⤵ PID:505)
                        • /usr/bin/file: /usr/bin/file -b /Users/run/Desktop/payload.zip (1⤵ PID:507)
                          • /usr/libexec/xpcproxy: xpcproxy com.apple.archiveutility.auhelperservice 503 (1⤵ PID:508)
                            • /System/Library/CoreServices/Applications/Archive Utility.app/Contents/XPCServices/AUHelperService.xpc/Contents/MacOS/AUHelperService (1⤵ PID:508)
                              • /System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService (1⤵ PID:510)
                                • /usr/libexec/xpcproxy: xpcproxy com.apple.appkit.xpc.sandboxedServiceRunner 503 (1⤵ PID:511)
                                  • /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner (1⤵ PID:511)
                                    • /usr/libexec/xpcproxy: xpcproxy com.apple.quicklook.satellite.0FB6E754-0705-4232-85AC-1A81BBA31FB7 512 (1⤵ PID:513)
                                      • /System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite (1⤵ PID:513)
                                        • /usr/libexec/xpcproxy: xpcproxy com.apple.quicklook.ui.helper (1⤵ PID:514)
                                          • /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper (1⤵ PID:514)
                                            • /usr/libexec/xpcproxy: xpcproxy com.apple.ReportMemoryException (1⤵ PID:515)
                                              • /usr/libexec/ReportMemoryException (1⤵ PID:515)
                                                • /usr/libexec/xpcproxy: xpcproxy com.apple.PerformanceAnalysis.animationperfd (1⤵ PID:516)
                                                  • /System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd (1⤵ PID:516)

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /Users/run/Desktop/payload/settings.json
    Filesize
    478B
    MD5
    b35182a5d0722d6f81654bbf9755bb77
    SHA1
    05203798855cfdf6f32161189ee340efe27386fb
    SHA256
    f9169b9b0d3706f8622513a6be8a722cdcef97826f1e71476439cb387792416c
    SHA512
    584f5d1afd86c2492a344447039c34b2239903af5b27590371226a13bc8668afa106af8bbefcfd75ed61a247ab251c93c51ce8192347b6d5ac53bf2b44bf89f9